_gnutls_hostname_compare: exponential slowdown with multiple wildcards

Kalle Olavi Niemitalo kon at iki.fi
Tue May 3 23:25:00 CEST 2011

I tried a few _gnutls_hostname_compare calls in GnuTLS 2.8.6.
The implementation in 2.10.5 is identical.

_gnutls_hostname_compare("*************a", 14, "bbbbbbbbbbbbbbb")
  returns 0 in 1 second.

_gnutls_hostname_compare("**************a", 15, "bbbbbbbbbbbbbbbb")
  returns 0 in 5 seconds.

_gnutls_hostname_compare("***************a", 16, "bbbbbbbbbbbbbbbbb")
  returns 0 in 15 seconds.

_gnutls_hostname_compare("****************a", 17, "bbbbbbbbbbbbbbbbbb")
  returns 0 in 63 seconds.

_gnutls_hostname_compare("*****************a", 18, "bbbbbbbbbbbbbbbbbbb")
  returns 0 in 243 seconds.

As you can see, the time grows exponentially as more characters
and wildcards are added.

I think the worst case of this function could be made a lot faster.
After a wildcard has been reached, there is never any need to
backtrack to a previous wildcard.  I'll probably implement such
an algorithm in ELinks, for use with OpenSSL.

Alternatively, I suppose you could just reject the whole pattern
if it has more than ten wildcards.  :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: </pipermail/attachments/20110504/17abbafb/attachment.pgp>

More information about the Gnutls-devel mailing list